T1560: Archive Collected Data
An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Both compression and encryption are done prior to exfiltration and can be performed using a utility, a third-party library, or a custom method.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Subtechniques
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments for actions that will aid in compressing or encrypting data that is collected prior to exfiltration, such as tar. |
| DS0012 | Script: Script Execution | Monitor for any attempts to enable scripts running on a system, which would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| DS0009 | Process: Process Creation | Monitor for newly constructed processes and/or command lines that aid in compressing or encrypting data that is collected prior to exfiltration, such as 7-Zip, WinRAR, and WinZip. |
| DS0022 | File: File Creation | Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers. |
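The file-header check described for DS0022, as an added example that is not part of the original page or of any Positive Technologies product: it classifies a file-creation event by its leading magic bytes and flags archives written under a non-archive extension. The function names, the extension allow-list and the sample events are assumptions constructed for illustration; encrypted blobs without a known header are out of scope here.

```python
import os

# Leading magic bytes (offset 0) for the archive formats named on this page.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
# Extensions normally seen for each format (assumed allow-list, tune per site).
EXPECTED_EXT = {
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "gzip": {".gz", ".tgz"},
    "7z": {".7z"},
    "rar": {".rar"},
    "tar": {".tar"},
}

def identify_archive(header: bytes):
    """Return the archive format named by the file's first bytes, or None."""
    for magic, fmt in MAGIC.items():
        if header.startswith(magic):
            return fmt
    # POSIX tar has no leading magic; the string "ustar" sits at offset 257.
    if header[257:262] == b"ustar":
        return "tar"
    return None

def classify_file_event(path: str, header: bytes):
    """Return (format, verdict) for one file-creation event."""
    fmt = identify_archive(header)
    if fmt is None:
        return None, "not_archive"
    ext = os.path.splitext(path)[1].lower()
    # An archive header under an unrelated extension suggests deliberate disguise.
    verdict = "archive" if ext in EXPECTED_EXT[fmt] else "archive_disguised"
    return fmt, verdict

# Constructed sample events: (path, first bytes of the newly written file).
SAMPLE_EVENTS = [
    ("C:\\Users\\Public\\backup.zip", b"PK\x03\x04\x14\x00"),
    ("C:\\Windows\\Temp\\thumbs.db", b"Rar!\x1a\x07\x01\x00"),
    ("/tmp/notes.txt", b"meeting notes\n"),
    ("/var/tmp/.cache.log", b"\x00" * 257 + b"ustar\x0000"),
]

def triage(events):
    """Return (path, format, verdict) for every event whose header is an archive."""
    return [(p, *classify_file_event(p, h)) for p, h in events if identify_archive(h)]
```

Events with the `archive_disguised` verdict are the ones worth correlating with the process-creation and command-execution sources above.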
Mitigation
| ID | Name | Description |
|---|---|---|
| M1047 | Audit | System scans can be performed to identify unauthorized archival utilities. |